[cabfpub] Denial of all insurance coverage for Diginotar

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Mon May 5 23:15:43 UTC 2014


Surety/performance bonds are very expensive (or tie up a lot of the bonded customer’s assets), and they typically come only in a few standard flavors (typical situations where bonding is required).  They are also hyper-legal, and would have to describe exactly what powers the bonding company has.  I don’t think a bond exists today that would cover claims from bad certs.

Really, the types of potential liability to a CA’s customers and the public are not that much different than the types of liability and harm that any other technology company faces – browsers, servers, applications all can go wrong and hurt the public (credit card data stolen, etc.).  The companies that make those products and services have whatever liability to the public the law creates, but they are not required to have insurance or post bonds to sell browser software, servers, or applications.  I’m not sure why CAs face this special insurance requirement – we are the only ones in the security infrastructure to have to show insurance, as far as I can tell.

From: James Ryan [mailto:james at litmuslogic.com]
Sent: Monday, May 05, 2014 4:05 PM
To: Kirk Hall (RD-US)
Cc: ben at digicert.com; Phillip Hallam-Baker; public at cabforum.org
Subject: Re: [cabfpub] Denial of all insurance coverage for Diginotar

Has a surety/performance bond been considered before?

On Mon, May 5, 2014 at 6:20 PM, kirk_hall at trendmicro.com wrote:
[Getting pretty deep in law stuff here] If a company with insurance goes bankrupt, that does not cancel the insurance and it generally will continue to cover the company, even in bankruptcy.  However, the insurance is only for protection of the company, not claimants – if claimants benefit at all, it is only indirectly (if the insurer has to pay the claim after defending the company).  The claims may get caught up in the bankruptcy proceeding as well.

The one thing I can clearly tell you is – if the insurance has policy limits of, say, $5 million, that does NOT create a pot of $5 million in cash that sits in the bankruptcy court to be handed out to claimants.  Each claim will still be defended and defeated by the insurer, if possible, until the money runs out.

In Diginotar, the insurer apparently avoided all liability (even to injured third parties) because intentional bad acts by Diginotar cancelled the coverage – so Diginotar would be punished and get no protection or coverage from the insurer.

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Monday, May 05, 2014 12:59 PM
To: 'Phillip Hallam-Baker'
Cc: public at cabforum.org
Subject: Re: [cabfpub] Denial of all insurance coverage for Diginotar

But if the policy insures the entity itself, as has been argued, then the policy and proceeds therefrom are property of the estate, and assuming there are proceeds from the policy (except in the case of Diginotar nobody litigated it on behalf of the estate), then the trustee of the estate is entitled to distribute them to creditors and/or use them to determine solvency.

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Phillip Hallam-Baker
Sent: Monday, May 05, 2014 12:33 PM
To: ben at digicert.com
Cc: public at cabforum.org
Subject: Re: [cabfpub] Denial of all insurance coverage for Diginotar

Probably a very complicated business, as DigiNotar was declared bankrupt.

There is a big difference between an insurance policy that indemnifies the insured against claims by third parties and a policy that indemnifies the losses of third parties. Once bankrupt, the insured no longer exists and does not need protection against claims.


On May 5, 2014, at 1:44 PM, Ben Wilson <ben at digicert.com> wrote:

So, had Diginotar been more responsive on the breach, taking action early on, there would have been insurance coverage?

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Richard at WoSign
Sent: Sunday, May 04, 2014 6:37 PM
To: kirk_hall at trendmicro.com; Adriano Santoni; CABFPub (public at cabforum.org)
Subject: Re: [cabfpub] Denial of all insurance coverage for Diginotar

Yes, when I consulted my insurance broker about the warranty amount for each type of cert, my insurance broker told me that reparation never happens, so you can write any amount on your website, since if the loss really happens it should go to the court and the insurance company will have 100 reasons to deny the claim.

Why WoSign endorses this ballot is NOT because WoSign can’t afford it; we think it doesn’t bring any benefit to end users and wastes money.


Regards,

Richard

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
Sent: Monday, May 5, 2014 12:49 AM
To: Adriano Santoni; CABFPub (public at cabforum.org)
Subject: Re: [cabfpub] Denial of all insurance coverage for Diginotar

I don’t know.  I do know that (in the US and Canada) all policies have “cooperation,” “duty to report incidents,” and “bad acts” clauses which are conditions to providing any coverage.  If the insured (Diginotar) fails to comply with those contractual provisions, it makes things harder for the insurer to handle any claims (and remember, the first duty of the insurer is to defend the insured and try to defeat the claims, not to pay the claims…  claims are only paid after litigation, etc., so the insurance is not there to help the public or injured customers).

Here, it’s my understanding that the insurer walked away, with the court’s approval, maybe because Diginotar failed to take action early on.

From: Adriano Santoni [mailto:adriano.santoni at staff.aruba.it]
Sent: Saturday, May 03, 2014 11:34 PM
To: Kirk Hall (RD-US); CABFPub (public at cabforum.org)
Subject: R: [cabfpub] Denial of all insurance coverage for Diginotar

This automatic translation is rather difficult to understand, to me. Who was the Insurer in this case?


Sent from Samsung Mobile.

-------- Original message --------
From: kirk_hall at trendmicro.com
Date: 03/05/2014 23:02 (GMT+01:00)
To: "CABFPub (public at cabforum.org)"
Subject: [cabfpub] Denial of all insurance coverage for Diginotar

Jeremy, in response to your question below -- it was Bob Relyea who found the link during our last CABF meeting stating (in translation) that Diginotar’s insurer denied all coverage, so there was no possibility of any recovery for claims by the public or customers.  See link.  That’s why it makes sense to delete the current coverage requirements.

----- Forwarded Message -----
From: Bob Relyea <bob at relyea.com>
To: Robert Relyea <rrelyea at redhat.com>
Sent: Wed, 19 Feb 2014 15:29:26 -0500 (EST)
Subject: Diginotar

http://translate.google.com/translate?hl=en&sl=nl&u=http://webwereld.nl/beveiliging/77898-curator-diginotar-haalt-bakzeil-in-zaak-tegen-opta&prev=/search%3Fq%3Ddiginotar%2Bcurator%26biw%3D1280%26bih%3D775


-----Original Message-----
From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
Sent: Friday, May 02, 2014 9:00 AM
To: Kirk Hall (RD-US); 'Gervase Markham'; public at cabforum.org
Subject: RE: [cabfpub] Ballot 121 - EVGL Insurance Requirements

Can you please send a link to the info about DigiNotar.  This is the first I've heard that the insurance company didn't have to pay anything to damaged end users and would like to investigate further.  My guess is that the claims were not being brought by the right party.




TREND MICRO EMAIL NOTICE

The information contained in this email and any attachments is confidential

and may be subject to copyright or other intellectual property protection.

If you are not the intended recipient, you are not authorized to use or

disclose this information, and we request that you notify us by reply mail or

telephone and delete the original message from your mail system.

_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public


--
J. Ryan
Strategy Execution for Cyber Defense
(c) 571-228-1740
(e) james at litmuslogic.com
